As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems often use an array of physical storage resources, such as a Redundant Array of Independent Disks (RAID), for example, for storing information. Arrays of physical storage resources typically utilize multiple disks to perform input and output operations and can be structured to provide redundancy which may increase fault tolerance. Other advantages of arrays of storage resources may be increased data integrity, throughput, and/or capacity. In operation, one or more storage resources disposed in an array of storage resources may appear to an operating system as a single logical storage unit or “virtual storage resource.” Implementations of storage resource arrays can range from a few storage resources disposed in a server chassis, to hundreds of storage resources disposed in one or more separate storage enclosures.
Increasingly, various mechanisms have been employed in order to ensure the integrity of data read to and written from storage resources, including “end-to-end” data protection from the application to the storage resource. An example of such a mechanism is the T10 protection information model (PIM), which is illustrated in FIG. 1. As shown in FIG. 1, a data block 100 to be written to a storage device may include data 102 and a data integrity field (DIF) 104. DIF 104 may itself include one or more subfields, such as, for example, a data block guard 106, a data block application tag 108, and a data block reference tag 110. Data block guard 106 may include an error-detecting code based at least in part on the value of data 102, e.g., a cyclic redundancy check (CRC). Data block application tag 108 may include metadata indicative of the particular application to which the written data is associated. Data block reference tag 110 may include information associated with a specific data block within some context, for example the least-significant two or four bytes of the logical block address (LBA) of the write command associated with data 102.
When a storage resource receives a read request for data block 100, a controller associated with the storage resource may check data block 102 against the stored DIF 104 to ensure that the data returned as part of the read request is valid (e.g., the data block guard 106 does not indicate corrupted data and that the data is associated with the LBA referenced in the read command). If the DIF 104 indicates an integrity error, a controller associated with the storage resource may return an error message, indicating a data integrity error.
In addition, various encryption techniques have also been used to encrypt data written to storage resources in order to secure data. For example, full disk encryption (FDE) is a technique whereby software, hardware, or a combination thereof encrypts substantially every bit of data written to a physical storage resource. Using FDE, all data written to a storage resource may be encrypted with an encryption key when written to the storage resource and decrypted with the key when read from the storage resource. Any suitable technique known in the art may be used to manage and/or store the encryption key, so as to provide a desired level of data security.
Because an FDE-enabled storage resource encrypts substantially every bit of data stored on thereon, it may be quickly and securely “deleted” or “erased” cryptographically by simply discarding a presently-used encryption key and replacing it with a new key for future data stored on the drive. However, this cryptographic erase operation may create difficulties when used in conjunction with PIM or similar mechanisms for end-to-end data protection. To illustrate, an FDE-enabled storage resource may not distinguish between a data block 102 and its associated DIF 104. Thus, when a data block 102 and its associated DIF 104 are stored on an FDE-enabled storage resource, both the data block 102 and the DIF 104 are encrypted. Accordingly, after a cryptographic erase, the storage resource may return a DIF error message in response to a read request in situations in which data has not been written to the storage resource from the time of the cryptographic erase (e.g., a valid DIF 104 encoded with a first key may not be valid when decrypted with a second key). In many instances, this may not be an issue as one does not often read data from a storage resource to which data has not been previously written.
However, in a storage array environment (e.g., a RAID array), difficulties may arise in connection with the initialization of a virtual storage resource. During such an initialization, I/O operations may take place whereby the redundant nature of a storage array is created and maintained. For example, in an initialization for an array using mirroring, an operation may take place whereby data is read from one physical storage resource and copied to another. As another example, in an initialization for an array using parity-based redundancy, an operation may take place whereby data is read from a plurality of physical storage resources of the array and parity data is written to one or more physical storage resources of the array. Accordingly, during initialization, a read request may occur to a portion of a physical storage resource to which data has not been written from the time of a cryptographic erase of the physical storage resource. Such a read request may therefore generate a DIF error, as the initialization may be unable to determine whether the error is due to a cryptographic erase or due to a bona fide DIF error.